Plüm, Rüdiger, VF-Group wrote:
-----Original Message-----
From: Nick Gearls [mailto:[email protected]]
Sent: Thursday, 13 August 2009 08:51
To: [email protected]
Subject: Re: Certificate chain order not conform to TLS standard
I tried both orders:
SSLCertificateFile conf/ssl/server.pem
SSLCertificateChainFile conf/ssl/chain.pem
where server.pem contains both the cert and the private key,
and chain.pem contains either CA/root or root/CA
Don't put the root cert in the chain file, only the intermediate certs.
Regards
Rüdiger
Leaving a self-signed root should not be a problem:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority may optionally be omitted from the chain,
/P
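
The ordering rule quoted above, as an added example that is not part of the original thread: it puts a set of certificates into TLS order by issuer name and omits the self-signed root by default. The subject/issuer values and function names are constructed for illustration, and matching is by name only, with no signature verification.

```python
# Added example: subject/issuer pairs are constructed sample data, not from the thread.
# In practice they can be read per certificate with:
#   openssl x509 -noout -subject -issuer

def tls_chain_order(certs, leaf_subject, keep_root=False):
    """Return certs in TLS order: leaf first, each next cert issues the previous one.

    certs: list of (subject, issuer) tuples in any order.
    Matching is by name only; signatures are not verified here.
    """
    by_subject = {}
    for subject, issuer in certs:
        if subject in by_subject:
            raise ValueError(f"duplicate subject: {subject}")
        by_subject[subject] = issuer
    if leaf_subject not in by_subject:
        raise ValueError("leaf certificate not in input")

    ordered, seen, current = [], set(), leaf_subject
    while current in by_subject and current not in seen:
        seen.add(current)
        issuer = by_subject[current]
        self_signed = issuer == current
        if self_signed and not keep_root and current != leaf_subject:
            break  # root may be omitted: the peer must already hold it
        ordered.append((current, issuer))
        if self_signed:
            break
        current = issuer  # walk up to the certificate that issued this one
    return ordered


def is_tls_ordered(chain):
    """True if every certificate after the first directly certifies its predecessor."""
    return all(chain[i + 1][0] == chain[i][1] for i in range(len(chain) - 1))


# Constructed sample in root-first order, the reverse of what TLS requires.
SAMPLE = [
    ("CN=Example Root", "CN=Example Root"),
    ("CN=Example Intermediate CA", "CN=Example Root"),
    ("CN=www.example.test", "CN=Example Intermediate CA"),
]
```

If an intermediate is missing from the input, the function returns the partial chain it could build, which makes the gap visible.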